Malvertising campaign hits 10 million users in 10 days

Security firm Cyphort Labs reported that 10 million users may have been infected in ten days by a malvertising and exploit kit campaign.

Nick Bilogorskiy, a security researcher at Cyphort, revealed that 10 million users may have been infected in ten days due to a malvertising and exploit kit campaign. According to the expert, the threat actors behind the malvertising campaign used the popular Angler exploit kit to compromise millions of computers worldwide.

The campaign dates back to at least 11 July; the experts observed several infections across Asia, the US, and in some European countries.

“In the last 10 days, Cyphort Labs found many more infected domains – they are listed below. Please refrain going to these sites as they are dangerous. We have notified e-planning.net about this issue and they are actively working to resolve it. At least 10 million people have visited these websites and were potentially exposed to the Angler exploit kit in the last 10 days according to our estimates and data from SimilarWeb.” states the post published by the company.

As usually happens in malvertising campaigns, the attackers compromised websites with a large number of visitors. In this case, the websites exploited to spread the malware included the Japanese branch of The Huffington Post, Magna entityreadms.com, and the Indonesian paper bisnis.com. Below is the complete list of compromised domains.

Date | Domain | Country | Traffic
7/16/2015 | www.zeldadungeon.net | USA | 1.1 Million visits per month
7/16/2015 | www.mpora.com | India | 0.6 Million visits per month
7/17/2015 | www.tvjaa.com | Thailand | 2.8 Million visits per month
7/19/2015 | www.techz.vn | Vietnam | 3.7 Million visits per month
7/19/2015 | www.hello-pet.com | Indonesia | 3.6 Million visits per month
7/22/2015 | www.kienthuc.net.vn | Vietnam | 7.2 Million visits per month
7/23/2015 | www.hochi.co.jp | Japan | 1.8 Million visits per month
7/23/2015 | www.lavishcar.com | USA | 0.9 Million visits per month
7/25/2015 | www.yaoiotaku.com | USA | 0.3 Million visits per month
7/25/2015 | www.360kpop.com | Vietnam | 0.6 Million visits per month
7/25/2015 | www.piovegovernoladro.info | Italy | 0.6 Million visits per month
7/25/2015 | www.undertexter.se | Sweden | 0.3 Million visits per month
7/26/2015 | www.zougla.gr | Greece | 4.4 Million visits per month
7/26/2015 | www.sonicch.com | Japan | 1.1 Million visits per month
7/27/2015 | www.skypech.com | Japan | 0.5 Million visits per month
7/27/2015 | www.databazeknih.cz | Czech Republic | 0.7 Million visits per month

“All of these appear to be top popular websites in various countries including Vietnam, Turkey, Japan, Saudi Arabia, and Germany.”

Bilogorskiy confirmed that Cyphort Labs has advised the companies affected by the malvertising campaign, including Microsoft Azure, and the ad platforms E-Planning.net and adtech.de.

The experts at Cyphort Labs noticed that the cyber criminals took every precaution to avoid raising suspicion, including the use of multiple SSL redirectors to encrypt traffic.

Below is an example of the redirection chain used in this campaign.

Step | Host
1 start | www.zeldadungeon.net
2 malvert | ads.us.e-planning.net
3 SSL redirect | ert-fr3-54.azurewebsites.net
4 SSL redirect | abcmenorca.net
5 | abzercdpeab.alver.miefifreetechbooks.net
6 | abzercdpeab.lojad.gahwethats.net
7 Angler | defis.uloozkolozzeum.net/viewtopic.php?<malware>
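
In proxy logs, the chain above appears as one client contacting an ad host and then a run of unrelated domains within a few seconds; because the redirectors use SSL, only the hostnames are visible. The following is an added example, not code from Cyphort or the original article: the timestamps, client addresses, the `AD_HOSTS` list, the thresholds and the two-label `base_domain` shortcut are assumptions, and the hostnames are the ones listed in the chain above.

```python
from collections import defaultdict

# Constructed proxy records: (epoch seconds, client, host). For SSL hops a
# non-inspecting proxy logs only the CONNECT hostname, so no URL or Referer.
SAMPLE_LOG = [
    (1000.0, "10.0.0.5", "www.zeldadungeon.net"),
    (1000.4, "10.0.0.5", "ads.us.e-planning.net"),
    (1000.9, "10.0.0.5", "ert-fr3-54.azurewebsites.net"),
    (1001.3, "10.0.0.5", "abcmenorca.net"),
    (1001.8, "10.0.0.5", "abzercdpeab.alver.miefifreetechbooks.net"),
    (1002.2, "10.0.0.5", "abzercdpeab.lojad.gahwethats.net"),
    (1002.9, "10.0.0.5", "defis.uloozkolozzeum.net"),
    (1000.0, "10.0.0.9", "www.example.org"),        # benign ad load
    (1000.5, "10.0.0.9", "ads.us.e-planning.net"),
    (1001.0, "10.0.0.9", "cdn.example.org"),
]
AD_HOSTS = {"ads.us.e-planning.net"}  # assumption: analyst-maintained list

def base_domain(host):
    # Assumption: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_chains(log, ad_hosts, window=5.0, min_domains=4):
    """Flag clients that hit an ad host and then >= min_domains new base
    domains within `window` seconds (the redirector pattern)."""
    by_client = defaultdict(list)
    for ts, client, host in sorted(log):
        by_client[client].append((ts, host))
    findings = []
    for client, events in by_client.items():
        for i, (ts, host) in enumerate(events):
            if host not in ad_hosts:
                continue
            publisher = events[i - 1][1] if i else None
            seen = {base_domain(host)} | ({base_domain(publisher)} if publisher else set())
            chain = []
            for ts2, host2 in events[i + 1:]:
                if ts2 - ts > window:
                    break
                if base_domain(host2) not in seen:
                    seen.add(base_domain(host2))
                    chain.append(host2)
            if len(chain) >= min_domains:
                findings.append((client, publisher, host, chain))
    return findings

if __name__ == "__main__":
    for finding in suspicious_chains(SAMPLE_LOG, AD_HOSTS):
        print(finding)
```

The window and domain-count thresholds need tuning against normal ad traffic, since legitimate ad exchanges also fan out across several domains.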

Malvertising campaigns are very insidious. In June, security experts noticed a spike in malicious activity, with hackers serving malicious ads on popular sites including The Drudge Report, CBS Sports, the PerezHilton magazine, Yahoo, Verizon FiOS, and eBay UK.

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.
Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
